What Makes IoT Security in Hospitals Different

By Mor Ahuvia, Product Marketing Manager, Security Platforms

Join the webinar: Preventing Attacks on IoT Devices and Networks


When it comes to securing their internet of things (IoT) devices, hospitals struggle with unique challenges. For some healthcare facilities, these challenges have been exacerbated by the Covid-19 pandemic due to increased workload and pressure.

What’s at stake? Hint: It’s more than ePHI

Only recently, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued medical advisories about 21 vulnerabilities in popular medical devices. Most issues have to do with the confidentiality of electronic protected health information (ePHI).

That in itself is a huge issue for victims of medical identity theft, as well as for hospitals required to foot the bill in the breach aftermath: healthcare organizations face the highest breach costs of any industry, averaging $6.45 million per incident, or 65 percent higher than the industry average.

But it doesn’t stop at ePHI and remediation costs. One of the vulnerabilities reported by DHS CISA “could allow an attacker to change treatment status information,” and by inference, the course of treatment itself.

What about manipulating dosages administered to patients? Cyber security researchers at CyberMDX have demonstrated that exploiting vulnerabilities in certain devices that provide “mounting, power, and communication support to infusion pumps” could “allow a malicious attacker to completely disable the device, install malware, or report false information. In extreme cases, the attacker could even communicate directly with pumps connected to the gateway to alter drug dosages and infusion rates.”

Why Hospitals are IoT Security Unicorns

So what makes IoT security in hospitals different? Below are salient traits and considerations.

  • Unsecured life-supporting devices – There are 10 to 15 medical devices per bed, and new smart beds monitor up to 35 data points, including blood, oxygen, and pressure sensors. However, as many of these devices were designed with little to no security in mind, they may have hardcoded passwords that facilitate tampering by anyone with physical or network access. Other safeguards that may be missing include user authentication and encryption of wireless communications.
  • Legacy operating systems (OSs) – Almost half of connected medical devices run on unsupported OSs that no longer receive security updates. These include ultrasound machines, MRIs and more, making them low-hanging fruit for cyber attacks such as ransomware. In fact, Check Point researchers have demonstrated the ease with which an ultrasound machine running on an old Windows operating system could be compromised, revealing the entire database of patient images. Unsurprisingly, recent months have seen a 75% spike in ransomware attacks on healthcare entities.
  • Lucrative health records – Sold on the darkweb for up to $1,000 per record, compromised electronic health records make for very attractive targets. Hospitals spend an average of $430 per record to mitigate each stolen medical identity.
  • Multiple IoT device types – Not only are hospitals’ medical devices vulnerable to compromise, but smart office and building management systems (BMS) assets are prime targets, too, whether as a segue into the hospital network or as a target for manipulation and takeover. These include common things like IP cameras, smart elevators and printers, as well as connected BMS assets like HVAC systems, backup power generators and even smart water pipes that help report and reduce leakages.

Hardening Hospital Devices and Networks

The good news is that hospitals and healthcare manufacturers can both take preventive measures to minimize their security risk exposure.

At the network level hospitals can:

  • Ensure visibility into all their medical devices, and identify high risk devices
  • Address critical vulnerabilities with the manufacturers or use proper network configuration
  • Segment the IT network from the IoT network or IoT device zones, and group device clusters into IoT device zones so that only devices that need to talk to each other can communicate
  • Prevent exploits of known weaknesses using virtual patching
  • Utilize security rules and threat intelligence to block malicious traffic before it reaches IoT devices, and to prevent infected devices from compromising additional network elements
  • Aim for centralized monitoring and alerting to accelerate detection and response
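The visibility, segmentation and monitoring steps above fit together as one policy: an inventory assigns every device to a zone, a small allow-list says which zone-to-zone flows are legitimate, and everything else is denied or alerted on. The following is an added illustration of that model, not Check Point or Medigate code; the device names, IP addresses, zone names, allowed flows and flow-log lines are all constructed for the example, and a real deployment would load the inventory from a discovery tool and enforce the verdicts on a firewall rather than in a script.

```python
"""Zone-based segmentation policy for a hospital network, evaluated over flow records.

Added example (assumptions, not a vendor product): inventory, zones, ports and
sample flow lines are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed asset inventory: device name -> (IP, zone). This is the output of the
# "visibility" step; unknown devices are treated as a gap to investigate.
INVENTORY = {
    "infusion-pump-01":  ("10.10.1.11", "infusion"),
    "infusion-gateway":  ("10.10.1.2",  "infusion"),
    "mri-console":       ("10.10.2.20", "imaging"),
    "pacs-server":       ("10.10.2.5",  "imaging"),
    "ip-camera-lobby":   ("10.20.1.30", "bms"),
    "hvac-controller":   ("10.20.1.40", "bms"),
    "ehr-app-server":    ("10.0.5.10",  "it"),
    "nurse-workstation": ("10.0.7.55",  "it"),
}

# Allowed cross-zone flows as (src_zone, dst_zone, dst_port). Anything not listed
# is denied, so an IP camera can never reach an infusion pump.
ALLOW = {
    ("it", "infusion", 443),   # nurse workstation / EHR to pump gateway over TLS
    ("imaging", "it", 443),    # PACS results to the EHR
    ("it", "imaging", 104),    # DICOM from IT to the imaging zone
    ("bms", "it", 443),        # building telemetry to the IT monitoring server
}

# Zones whose members may talk to each other freely (pump <-> gateway, console <-> PACS).
INTRA_ZONE_OK = {"infusion", "imaging"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def lookup(ip):
    """Return (device_name, zone) for an IP, or (None, 'unknown') if not inventoried."""
    for name, (addr, zone) in INVENTORY.items():
        if addr == ip:
            return name, zone
    return None, "unknown"


def evaluate(flow):
    """Return (verdict, reason) for a single flow against the zone policy."""
    src_name, src_zone = lookup(flow.src_ip)
    dst_name, dst_zone = lookup(flow.dst_ip)
    if "unknown" in (src_zone, dst_zone):
        # A device we cannot place in a zone is a visibility gap, not just a policy miss.
        return "alert", f"uninventoried device in flow {flow.src_ip} -> {flow.dst_ip}"
    if src_zone == dst_zone:
        if src_zone in INTRA_ZONE_OK:
            return "allow", f"intra-zone {src_zone}: {src_name} -> {dst_name}"
        return "deny", f"intra-zone traffic not permitted in {src_zone}: {src_name} -> {dst_name}"
    if (src_zone, dst_zone, flow.dst_port) in ALLOW:
        return "allow", f"{src_zone} -> {dst_zone}:{flow.dst_port} ({src_name} -> {dst_name})"
    return "deny", f"{src_zone} -> {dst_zone}:{flow.dst_port} not in allow-list ({src_name} -> {dst_name})"


def parse_flow(line):
    """Parse a constructed flow-log line of the form 'src=IP dst=IP dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def audit(lines):
    """Evaluate every flow line; returns a list of (line, verdict, reason)."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]


def summarize(results):
    """Count verdicts so a monitoring dashboard can alert on deny/alert volume."""
    counts = {"allow": 0, "deny": 0, "alert": 0}
    for _, verdict, _ in results:
        counts[verdict] += 1
    return counts


# Constructed sample flow records.
SAMPLE_FLOWS = [
    "src=10.0.7.55 dst=10.10.1.2 dport=443",    # workstation -> pump gateway: allowed
    "src=10.10.1.11 dst=10.10.1.2 dport=443",   # pump -> gateway: intra-zone, allowed
    "src=10.20.1.30 dst=10.10.1.11 dport=22",   # lobby camera -> infusion pump: denied
    "src=10.20.1.30 dst=10.20.1.40 dport=80",   # camera -> HVAC: BMS intra-zone not permitted
    "src=192.168.99.9 dst=10.10.2.20 dport=445",  # unknown host -> MRI console: alert
]

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for line, verdict, reason in results:
        print(f"{verdict:5} {reason}")
    print(summarize(results))
```

The deny and alert lines are the ones worth feeding into centralized monitoring: a deny from the BMS zone towards the infusion zone is exactly the lateral movement the segmentation is meant to stop, and an alert on an uninventoried address means the visibility step has a gap.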

At the device level, medical device manufacturers can:

  • Assess the security of their device’s firmware to uncover gaps and remediate them (sign up for a firmware risk assessment here)
  • Add on-device run-time protection using nano agents to prevent device-level zero-day attacks, including control flow hijacking, memory corruption and shell injection.

Jumpstart your Healthcare IoT Security

Don’t leave your IoT security to chance. Join Check Point and our partner Medigate for a webinar on 20 July to learn the healthcare IoT security basics and start your journey to a safer hospital and better-secured patients. You can also read about the joint solution here.